Anyone with a modicum of security sense knows that if you get an email that looks suspicious, you don't click on any included links. Most people also know to watch out for phishing scams that come in via social networks -- phishing attacks are expected in these mediums. What many might not expect is to run across phishing links in their Google Calendar.
Hackers have realized that they can take advantage of default calendar settings to plant their own events that are tainted with phishing links onto a user's computer. Since Google Calendar entries have notifications tied to them, the user gets notifications that seem legitimate and can lead to the user clicking through to a nefarious link and giving up information that can result in further attacks.
The attack was discovered by Kaspersky researchers who note that most of the phishing entries they have seen have links to fake surveys with short descriptions. The researchers specifically note descriptions like "You've received a cash reward," or "There's a money transfer in your name."
Some of the links ask for credit card information and for the user to send a small amount of money for a chance to win a more significant amount. The phishing attackers can also set the notification in the calendar to send the same message many times until the user clicks the link or deletes the invitation. Kaspersky researchers say that the delivery method is "quite new" and growing.
The novel part of the attack is how many people can be messaged by the attackers all at once. Google Calendar users can protect themselves by changing some of their settings. To do so, open Google Calendar settings in a desktop browser, go to Event Settings -> Automatically Add Invitations, and select "No, only show invitations to which I've responded." Researchers also suggest turning off "Show Declined Events" under View Options. In May, Google started offering replacements for its Titan security key after it was discovered that the keys could be hacked.
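The invitations described above share a recognizable shape: someone else organized them, the calendar owner never responded, and the text carries a link. The following added example (not from Kaspersky or Google) triages a calendar exported as iCalendar text for that shape; the function names, the sample addresses and URLs, and the assumption that the export carries ORGANIZER and ATTENDEE PARTSTAT properties are illustrative.

```python
import re

URL_RE = re.compile(r"https?://[^\s\\,;]+", re.I)

def parse_events(ics_text):
    """Minimal RFC 5545 reader: unfold lines, collect fields per VEVENT."""
    events, cur = [], None
    # A line starting with space/tab continues the previous one (folding).
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            cur = {"organizer": None, "attendees": {}, "alarms": 0, "text": ""}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            head, value = line.split(":", 1)  # simplification: no quoted params
            name, *params = head.split(";")
            addr = re.sub(r"^mailto:", "", value.lower())
            if name == "ORGANIZER":
                cur["organizer"] = addr
            elif name == "ATTENDEE":
                p = dict(x.split("=", 1) for x in params if "=" in x)
                # RFC 5545 default when PARTSTAT is absent
                cur["attendees"][addr] = p.get("PARTSTAT", "NEEDS-ACTION")
            elif name in ("SUMMARY", "DESCRIPTION"):
                cur["text"] += " " + value
            elif (name, value) == ("BEGIN", "VALARM"):
                cur["alarms"] += 1  # each VALARM is one reminder
    return events

def suspicious_invites(ics_text, owner):
    """Events from someone else, never answered by owner, that carry a link."""
    owner, hits = owner.lower(), []
    for ev in parse_events(ics_text):
        urls = URL_RE.findall(ev["text"])
        unanswered = ev["attendees"].get(owner) == "NEEDS-ACTION"
        foreign = ev["organizer"] not in (None, owner)
        if urls and unanswered and foreign:
            hits.append({"organizer": ev["organizer"], "urls": urls,
                         "alarms": ev["alarms"]})
    return hits

# Constructed sample export (addresses and URLs are made up).
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Team sync",
    "ORGANIZER:mailto:me@example.com",
    "ATTENDEE;PARTSTAT=ACCEPTED:mailto:me@example.com",
    "DESCRIPTION:Agenda at https://wiki.example.com/sync", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:You've received a cash reward",
    "ORGANIZER;CN=Promo:mailto:promo@sender.invalid",
    "ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:me@example.com",
    "DESCRIPTION:Complete the survey at https://survey.inva",
    " lid/claim to collect",  # folded continuation line
    "BEGIN:VALARM", "ACTION:DISPLAY", "END:VALARM",
    "BEGIN:VALARM", "ACTION:DISPLAY", "END:VALARM",
    "END:VEVENT", "END:VCALENDAR"])
```

Calling `suspicious_invites(SAMPLE, "me@example.com")` returns only the second event, along with its link and its reminder count, which matters because the attackers repeat notifications until the invitation is clicked or deleted.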